Management Kubernetes nodes must have auto upgrades set to true
ID | gcp_node_auto_upgrade_disabled
Severity | high
Vendor | GCP
Resource | General Security
Tags | non-reachable
Description
It is recommended to enable auto-upgrade when creating a node pool, so that the pool's nodes do not keep running an outdated or vulnerable Kubernetes version after the control plane has moved on.
To fix it, set the management.auto_upgrade property of the container node pool to true.
Learn more about this topic at Standard cluster upgrades.
Examples
---
- name: create node pool
  google.cloud.gcp_container_node_pool:
    name: cpool
    initial_node_count: 1
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: cproject
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    management:
      auto_repair: true
      auto_upgrade: false   # nodes stay on their current version; flagged by this rule
Mitigation / Fix
---
- name: create node pool
  google.cloud.gcp_container_node_pool:
    name: cpool
    initial_node_count: 1
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: cproject
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    management:
      auto_repair: true     # the module parameter is auto_repair, not auto-repair
      auto_upgrade: true    # nodes follow the cluster's release channel automatically
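The check below is an added example of how this rule can be evaluated statically against a playbook before it runs; it is not code from the original page nor from the google.cloud collection. It assumes the playbook has already been loaded with yaml.safe_load() into Python lists and dicts (the constructed SAMPLE_PLAYBOOK stands in for that), walks tasks including those nested in block/rescue/always, accepts the boolean spellings Ansible allows (true/yes/on, false/no/off), skips pools being deleted with state: absent, and reports an explicit auto_upgrade: false as high severity. Treating a missing management block or a templated value as a medium-severity finding is this example's own choice: the module then leaves whatever default GKE applies, and the page does not say what that is.

```python
"""Static check for gcp_node_auto_upgrade_disabled over a loaded Ansible playbook.

Added example, not part of the original policy page. SAMPLE_PLAYBOOK is a
constructed structure equivalent to what yaml.safe_load() returns for a file.
"""
from typing import Any, Dict, Iterator, List, Optional

RULE_ID = "gcp_node_auto_upgrade_disabled"
# Short and fully-qualified names of the module used in the page's examples.
NODE_POOL_MODULES = ("google.cloud.gcp_container_node_pool", "gcp_container_node_pool")
TRUE_WORDS = {"true", "yes", "on", "1"}
FALSE_WORDS = {"false", "no", "off", "0"}


def as_bool(value: Any) -> Optional[bool]:
    """Normalise the boolean spellings Ansible accepts; None if undecidable."""
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return value
    if isinstance(value, int):
        return bool(value)
    if isinstance(value, str):
        word = value.strip().lower()
        if word in TRUE_WORDS:
            return True
        if word in FALSE_WORDS:
            return False
    return None                          # e.g. a Jinja2 expression "{{ flag }}"


def iter_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        nested = [k for k in ("block", "rescue", "always") if k in task]
        if nested:
            for key in nested:
                yield from iter_tasks(task[key] or [])
        else:
            yield task


def check_task(task: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return a finding for one task, or None if it is compliant or irrelevant."""
    module = next((m for m in NODE_POOL_MODULES if m in task), None)
    if module is None:
        return None
    args = task.get(module) or {}
    if args.get("state", "present") == "absent":
        return None                      # pool is being deleted; nothing to upgrade
    finding = {"rule": RULE_ID, "task": task.get("name", "<unnamed task>")}
    management = args.get("management")
    if not isinstance(management, dict):
        finding.update(severity="medium",
                       message="management block missing; auto_upgrade not set explicitly")
        return finding
    if "auto-upgrade" in management and "auto_upgrade" not in management:
        finding.update(severity="high",
                       message="key 'auto-upgrade' found; the parameter is 'auto_upgrade'")
        return finding
    enabled = as_bool(management.get("auto_upgrade"))
    if enabled is True:
        return None
    if enabled is False:
        finding.update(severity="high", message="management.auto_upgrade is false")
    else:
        finding.update(severity="medium",
                       message="management.auto_upgrade missing or not statically decidable")
    return finding


def check_playbook(playbook: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Run check_task over every task in every play of a loaded playbook."""
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks"):
            for task in iter_tasks(play.get(section) or []):
                finding = check_task(task)
                if finding:
                    findings.append(finding)
    return findings


# Constructed sample: the page's failing and fixed tasks plus edge cases.
POOL = "google.cloud.gcp_container_node_pool"
SAMPLE_PLAYBOOK = [{"hosts": "localhost", "tasks": [
    {"name": "create node pool", POOL: {"name": "cpool", "cluster": "{{ cluster }}",
        "state": "present", "management": {"auto_repair": True, "auto_upgrade": False}}},
    {"name": "create node pool (fixed)", POOL: {"name": "cpool", "cluster": "{{ cluster }}",
        "state": "present", "management": {"auto_repair": True, "auto_upgrade": "yes"}}},
    {"name": "grouped", "block": [
        {"name": "pool without management", "gcp_container_node_pool": {"name": "p1"}}]},
    {"name": "delete old pool", "gcp_container_node_pool": {"name": "old",
        "state": "absent", "management": {"auto_upgrade": False}}},
    {"name": "templated flag", "gcp_container_node_pool": {"name": "t",
        "management": {"auto_upgrade": "{{ enable_upgrades }}"}}},
    {"name": "unrelated", "debug": {"msg": "not a node pool"}},
]}]

if __name__ == "__main__":
    for f in check_playbook(SAMPLE_PLAYBOOK):
        print(f"[{f['severity']}] {f['rule']}: {f['task']}: {f['message']}")
```

Run against the sample it reports the page's failing task as high, the pool without a management block and the templated value as medium, and says nothing about the fixed task, the deletion, or the debug task.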